IE7 Security in Brief

While Rob Franco and Chris Wilson were presenting and getting feedback at PDC, I spent most of my time in smaller discussions (for example, with Paul and Joe) about the security work we’ve done in IE. The discussions reminded me that, before most of the team was working on IE7, before Rob posted about our overall approach to IE7 security, we heard three things about IE and security over and over: "take it out of the operating system (or integrate it less), get rid of ActiveX, and rewrite IE to be secure."

Now, no one wants to hear what these steps (if done literally) would break. Windows applications (like the AOL client, or Office) use IE technologies to show users HTML email, to download files from the internet, and more. Similarly, no one wants to hear that every browser has its own ActiveX equivalent in order to support great technologies like Macromedia Flash and media players.

I wanted to step back from the threat-driven way we’ve thought about security for just one blog post and talk about our work in terms of what we heard people ask us for.

We heard people ask for more separation between the browser and Windows. In IE7, we built a containment wall around IE by running it in Protected Mode. In this mode, IE can browse the web but cannot install software (good or bad) or change settings on the user’s computer without explicit user consent. Because the foundation work to make this possible is in Windows Vista, this feature is not available on the XP version of IE7. Expect to read more about the details of how this works, and how IE balances compatibility (e.g. users still want their toolbars to work!) with security, in another post.

We heard people say that ActiveX controls had too much privilege. In IE7, we made sure that the only ActiveX controls available to IE were the ones intended for use on the internet. Microsoft Windows includes many, many ActiveX controls. For example, an application developer can use IE technology to browse the web inside her application by using a particular ActiveX control. While only some ActiveX controls were intended for use inside IE by web sites, many of them identify themselves as available for use inside IE. We decided that allowing ActiveX controls to run in IE should be the exception, not the rule. IE7 will block all ActiveX controls from running in the browser except for controls that were explicitly intended for the browser. That list is under the user’s control. Of course, to keep mainstream web sites running, the most commonly used ActiveX controls that are clearly intended for the web (like Flash) will be on that list by default. We started getting feedback on this feature from developers at PDC. Expect a blog post with more detail so we can get your feedback on it before beta 2.

We heard people say that we should just start over from scratch. In IE7, we identified, via threat modeling, the most critical parts of IE and focused our rewriting efforts on those parts. For example, we didn’t need to rewrite all HTML parsing in order to make IE more secure, but URL parsing and the enforcement of cross-domain security were clearly important parts to rework this release. If you were at Rob’s PDC talk or if you have read about threat modeling, you’ll understand why we focused on threats rather than on rewriting for its own sake. While it’s hard to see the effects of these changes in everyday browsing with IE7 (well, except for the new support for International Domain Names), these parts of the product are more resilient against attack and are still compatible with the web.
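To illustrate why URL parsing sits underneath cross-domain enforcement, here is an added example (written for this post, not IE7’s own code): a same-origin comparison built on a real parser, shown beside the text-prefix shortcut it replaces, with IDN hosts normalized to their punycode form. The hostnames example.com, attacker.test and bücher.example are constructed placeholders.

```python
from urllib.parse import urlsplit

# Default ports, so "http://example.com" and "http://example.com:80" compare equal.
DEFAULT_PORTS = {"http": 80, "https": 443}

def origin(url: str):
    """Parse url into (scheme, ascii_host, port), or None if it has no usable origin."""
    try:
        parts = urlsplit(url)
        scheme = parts.scheme.lower()
        host = parts.hostname  # lowercased, with any user@ prefix already stripped
        port = parts.port      # raises ValueError if the port is not numeric
        if scheme not in DEFAULT_PORTS or not host:
            return None
        # Punycode form, so an IDN and its xn-- spelling are the same host.
        host = host.encode("idna").decode("ascii")
    except (UnicodeError, ValueError):
        return None
    return (scheme, host, port if port is not None else DEFAULT_PORTS[scheme])

def same_origin(a: str, b: str) -> bool:
    """True only when both URLs parse and agree on scheme, host and port."""
    oa, ob = origin(a), origin(b)
    return oa is not None and oa == ob

def naive_same_site(a: str, b: str) -> bool:
    """Text-prefix shortcut that a parsed comparison replaces; kept here only
    so its failure modes are visible, never as a check to rely on."""
    host_a = a.split("://", 1)[1].split("/", 1)[0]
    return b.split("://", 1)[1].startswith(host_a)

# Constructed pairs; example.com, attacker.test and bücher.example are placeholders.
CASES = [
    ("http://example.com/a", "http://EXAMPLE.com:80/b"),          # same origin
    ("http://example.com/", "https://example.com/"),               # scheme differs
    ("http://example.com/", "http://example.com.attacker.test/"),  # longer host
    ("http://example.com/", "http://example.com@attacker.test/"),  # user@ prefix
    ("http://bücher.example/", "http://xn--bcher-kva.example/"),   # IDN vs punycode
]

def compare_all():
    """Return [(a, b, parsed_verdict, naive_verdict), ...] for every case."""
    return [(a, b, same_origin(a, b), naive_same_site(a, b)) for a, b in CASES]

if __name__ == "__main__":
    for a, b, parsed, naive in compare_all():
        print(f"parsed={parsed!s:5} naive={naive!s:5}  {a}  vs  {b}")
```

The parsed verdict and the naive verdict disagree on every pair except none: the shortcut calls the two forged hosts "same" and the equivalent IDN spellings "different", which is exactly the class of mistake a rewritten URL parser is meant to remove.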

The things people asked for so much a year ago represent only a subset of what we did in IE7 and Windows Vista. I think the Phishing filter and other anti-fraud work that we’ve done is important. The Parental Controls work that teams showed at PDC is another aspect of protecting people while they’re using the internet. None of this security counts unless corporations can deploy it; we’ve done work (like the application compatibility tool and better Group Policy support) to make deployment easier. There’s also additional functionality around the user experience of security that will come out with beta 2.